PHP Login System

[Jam0864]

Learnt some MySQL database programming in the last few days, so I used it in conjunction with the PHP skills I learnt over the weekend to create this login script.

- Reads username/password combinations from a MySQL database rather than forcing each username/password to be hard coded into the script,
- Allows users to register a username/password for use with the login system,
- In the registration process it asks for your email, which can be later used to email you with your login details,
- Stops you from using someone else's username or email address in registration,
- Logs IP Addresses when someone registers and ties it to their account,
- Detects if you leave a field blank in registration, forget an @ symbol in the email address or put your password in differently between the Password and Confirm Password fields.

http://www.jam0864.co.cc/php/loginscript/

[bluemonkmn]

Speaking of preventing duplicate user names, I've always wondered if anyone was ever stupid enough to add a validation with the following error message:
"Sorry, you can't use password 'xyz' because it's already being used by user 'abc'"

[SmartBoy16]

 :laugh: :laugh: :laugh: :laugh: :laugh: :laugh:

[durnurd]

So are you storing the actual password in the database or are you storing some hash (perhaps a salted hash)?  For security's sake, it's much safer to store a one-way hash of the data that you compare against when they enter their password.

[Jam0864]

"Sorry, you can't use password 'xyz' because it's already being used by user 'abc'"

aha!   

So are you storing the actual password in the database or are you storing some hash (perhaps a salted hash)?  For security's sake, it's much safer to store a one-way hash of the data that you compare against when they enter their password.

For now I am storing actual passwords. I was thinking of using md5 encryption, and I still plan to, but will leave that until another day. I have a general idea how to do it, just got to do some googling to learn the specifics, then I can implement it.

EDIT:// looking over some stuff in the google results, it seems that it's very easy to do md5 hashing, and not all that much harder to add a static salt, or even better, a dynamic salt. (you could use their email address as the salt )

Code: [Select]

<?php
$salt = $userid;
$password = md5($salt.md5($password.$salt));
?>
Just have to implement that in the right spots.


EDIT2:// All the passwords are now hashed before being stored, with the salt being your email address.

I spent 15 minutes trying to figure out why md5 was generating different key's between my login and my register files (so registering would write one key to the database, then login would make a different key and you wouldn't be able to login) then I realised in the register file, it was trying to read the email from the database, which hadn't yet been written to. 

[Jam0864]

Update from last post (my session ended, couldn't edit in)

The salt is now the ip address you signed up with, rather than your email, which should make it more secure.

The md5 encryption has broken my password reset feature, because now the password gets sent in the already-hashed format and can't be used. I'm fiddling around with generating random numbers as a password to see if I can get it going.

EDIT:// The forget password link now generates a random number, sends it to you, then hashes it and stores it in the database. There's one problem, and that is that anyone can put in someone's username, and their email if they happen to know it, and their password will get reset. 

[bluemonkmn]

For now I am storing actual passwords. I was thinking of using md5 encryption, and I still plan to, but will leave that until another day. I have a general idea how to do it, just got to do some googling to learn the specifics, then I can implement it.

Are you aware of the PASSWORD function in MySQL (are you using MySQL?) designed for 1-way hashing of passwords stored in the database?

Edit:  Oops, It says you should not use PASSWORD in your own applications.  Never mind.

[durnurd]

To resolve the auto-reset issue, you should create another column that stores the temporary password, and send that to the email address.  They can then log in with either password, and once they do, they can reset their normal password.  If they log in with their normal password, then delete the temporary one.

Another option would be to have a link sent in the email that automatically logs them in and allows them to reset their password.